I am trying to implement a custom authentication mechanism in Spring.
I have an authentication mechanism, that works like this:
User visits any subpage of my page http://mypage
User gets redirected to http://mypage/login, because my WebSecurityConfigurerAdapter is configured, that any Request (except to /login and /redirect, has to be authenticated)
On the Login page a custom login mechanism happens, where I authenticate the user on an external site, that redirects the user's browser to the external page and then back to another subpage of my page: /redirect with custom data in the response
On /redirect I set the Authentication of the user, depending on the custom data and add a GrantedAuthority ROLE_FIRST
After this step the user is redirected to subpage /home, which is only visible to authenticated users with GrantedAuthority ROLE_FIRST.
If the user clicks on a button on /home a GrantedAuthority ROLE_SECOND is added to the current Authentication of the user and the user is redirected to /secret
The user is then authenticated with two factors (external login, buttonclick) and can see the content of /secret, which requires an authentication with GrantedAuthority ROLE_SECOND
So far so good, but I now want to redirect the user to the initial URL he tried to access. So if the user visited http://mypage/random in the first step, the user should be redirected to /random instead of /secret in the last step.
The problem is, I am loosing the URL in the step with the external login, because there is happening a external redirect and I can't pass the URL to the external service.
How can I manage this?
Bonus Question: What if the URL /random would be the URL to an OAuth2 Token interface instead? Would that change anything?
Related
Some background:
I am writing a small SPA that will use a back end that I have also written. The JS and the back end API are on the same server.
i.e. SPA will load from foo.com, back end is at foo.com/api
In the past I have always used Spring Security with simple form based login. After logging in the user will get a session cookie. Pretty standard stuff.
For this app I looked into OAuth2 implicit flow. My understanding is the User would load my page, then from the SPA I would direct the user to the authorization endpoint so my app could get a token. The user would be redirected from the authorization endpoint to a login form. After the user authenticated with the form.. they would be redirected back to the authorization endpoint to get the token and possibly grant access to the JS client. After that the user would be redirected to a URL specified by the client, with the new access token as a URL fragment.
I have this working and its all great. The part I don't quite get is this:
When the user is redirected to the login form and they authenticate a session is created on the server that has to at least last long enough for the user to be redirected to the authorization endpoint to get the token. At that point they already have an authenticated session on my server, why not just stop there and use traditional cookie and session based logins?
I am using Spring Security to authenticate with SAML and Okta, generally it works, I am able to authenticate a user and access secured URLs within my application. So far so good.
Now I have a requirement for a special type of 'internal' users to use different authentication mechanism (those users will not be in AD nor Okta) - so if authentication fails using Okta I want to display different login page. Problem is that I am unable to redirect from Okta login page to my custom page after unsuccessful login, seems like Okta will not redirect even after many unsuccessful attempts.
Is there a way to implement such requirement?
You can't redirect Okta on a failed authentication. You will need to determine what type of authentication to use prior to validating the username and password. Okta supports application based custom login page and so when the user tries to access the application, Okta redirects to your login page. From there your login page will determine where to authenticate the user.
Okta configuration for custom login page
You can use Okta's Authentication APIs and SDKs to authenticate against AD and custom code.
I'm using for first time spring security (3.2.0.RELEASE) and spring webflow (2.4.0.RC1).
I have some pages where user can login (through a modal window). This logins should not redirect user, instead modal window should be closed and actual page is refreshed in order to show the name of logged user.
In addition, in my web there is a webflow, in this webflow is where an order is created. As a last view-state the user must be logged in order to save the order. So if user is not logged at this point, I redirect him to a login page. If user logs in successfully, his order should keep "alive" and user should be redirected to finish view-state.
How can I configure (I'm using java config) the security of my site ?
I used another approach. I always redirect to same page when a user is authenticated and I've added a special view-state to control registration if user is not logged.
I'm a newb to spring security and I'm not sure where to start. I have requirements to have a multi-page authentication. The first page authenticates the username, if the username exists the web app progresses to the password page. (site image) The second page authenticates the password, if successful then the user is authenticated. I'm not sure how to fit this into spring auth. Do I add multiple login-filters and authenticationproviders ? If I add multiple authenticationproviders, will I be authenticated after the first login ?
Page 1: User enters username. Submit this to your own controller where you check if the user exists. If the user exists, display page 2, pass the username in the model. You better not include Spring Security authentication in this step.
Page 2: User enters password. Use a readonly or hidden field to keep track of the username. Submit the form to Spring Security form login filter. You don't need multiple authentication providers.
Note: This approach has an information "leak"; any visitor can check whether a username exists in the system or not.
It depends on the kind of your authentication:
JDBCAuthentication
You can do with #holmis83 suggests.
LDAPAuthentication:
I am afraid tht you can't do that.
Need some idea on the process to land in a page after I login to my web portal. My requirement is I will enter Url of a particular page in to the browser, then system will check is the user is login to the system, if yes it will land on the page I have entered but if not then system will take me to the login page and after successful login I will be landed in to the page I have entered in the browser.
So, please tell me how to do it in plain servlet/Jsp model, Spring and Struts 1 and Struts 2.
Any post will be helpful
I know about basic jsp/servlet model.
Write a Servlet filter which will intercept every request from the brwoser, there check is the user is logged in or not. If logged in your normal flow will continue but if not then redirect to the login page. When you are redirecting to the login page, make sure you send the url hit by browser in the response. Now in client side hold the url send in response and after eneter credentials in login page when user will submit the record send the url (Hold in the client side from response) in the request and after successful login use Servelet Request dispatcher to land in the url.
I am not sure but spring-security has this feature and struts 2. But implementation process can be share by others who are familiar on this technologies. But in struts 1 it's not available and you have to do it manually.
it will very easy with spring security you just need to secure some path pattern. you doesn't need to add some code in your jsp or controller, example
for url /admin/* need administrator role
for url /user/* need user role
for url /public/* no need login (anynomous)
it just need configure at your spring-security.xml
you can start here